def test_custom_tls_certs() -> None:
    """Exercise certs.Cert against a local server that presents an untrusted certificate.

    For every Cert configuration a request to TRUSTED_DOMAIN must succeed; a request
    to the local server (serving UNTRUSTED_CERT) must raise SSLError unless verification
    is switched off (``noverify=True``) or the untrusted PEM is trusted explicitly
    (``cert_pem=...``).
    """
    server = run_test_server(("127.0.0.1", 12345),
                             cert=UNTRUSTED_CERT,
                             key=UNTRUSTED_KEY)
    with server as untrusted_url:
        with open(UNTRUSTED_CERT) as fh:
            untrusted_pem = fh.read()

        # (kwargs for certs.Cert, whether the untrusted server must be rejected)
        cases = [
            ({"noverify": True}, False),
            ({"noverify": False}, True),
            ({"cert_pem": untrusted_pem}, False),
            ({}, True),
        ]
        for cert_kwargs, expect_ssl_error in cases:
            assert isinstance(cert_kwargs, dict)
            cert = certs.Cert(**cert_kwargs)

            # The publicly trusted endpoint must be reachable under every configuration.
            request.get(TRUSTED_DOMAIN, "", authenticated=False, cert=cert)

            if expect_ssl_error:
                with pytest.raises(requests.exceptions.SSLError):
                    request.get(untrusted_url, "", authenticated=False, cert=cert)
            else:
                request.get(untrusted_url, "", authenticated=False, cert=cert)
 def wait_for_master(self, timeout: int = 5 * 60) -> None:
     """Block until the master's URL passes the health check, or *timeout* seconds elapse.

     When the MASTER_TLS_CERT parameter is set, the health check runs with
     ``certs.Cert(noverify=True)``, i.e. the master's TLS certificate is not
     verified for this probe; otherwise no Cert is passed at all.
     """
     tls_cert_configured = self.parameters[constants.cloudformation.MASTER_TLS_CERT]
     # noverify=True accepts any certificate the master presents — this only checks
     # reachability, it says nothing about the master's identity.
     cert = certs.Cert(noverify=True) if tls_cert_configured else None
     return healthcheck.wait_for_master_url(self._get_master_url(),
                                            timeout=timeout,
                                            cert=cert)
def _wait_for_master(address: str) -> None:
    """Poll the master's ``info`` endpoint until it answers 200, for at most 150 attempts.

    After every unsuccessful attempt (MasterNotFoundException or a non-200 status) a
    message is printed and the function sleeps 2 seconds. Raises ConnectionError once
    all attempts are used up.

    The probe is made with ``certs.Cert(noverify=True)``: the master's TLS certificate
    is not verified here, so success means "reachable", not "authenticated".
    """
    print("Checking for master at", address)
    probe_cert = certs.Cert(noverify=True)
    attempts_left = 150
    while attempts_left > 0:
        attempts_left -= 1
        try:
            response = api.get(address, "info", authenticated=False, cert=probe_cert)
        except api.errors.MasterNotFoundException:
            response = None
        if response is not None and response.status_code == requests.codes.ok:
            return
        print("Waiting for master to be available...")
        time.sleep(2)
    raise ConnectionError("Timed out connecting to Master")
def main(args: List[str] = sys.argv[1:], ) -> None:
    """Entry point of the ``det`` CLI: parse *args*, configure the master Cert, run the subcommand.

    Args:
        args: command-line arguments without the program name. The default is
            ``sys.argv[1:]`` as captured when this module was imported, not at call time.

    Exits (via ``parser.exit`` / ``exit``) with status 1 when the subcommand fails,
    2 when no subcommand is given and 3 on KeyboardInterrupt.
    """
    # TODO: we lazily import "det deploy" but in the future we'd want to lazily import everything.
    parser = make_parser()

    # `det deploy` (or one of its aliases) only gets its own argument description;
    # every other invocation gets the full CLI description.
    full_cmd, aliases = generate_aliases(deploy_cmd.name)
    is_deploy_cmd = len(args) > 0 and any(args[0] == alias
                                          for alias in [*aliases, full_cmd])
    if is_deploy_cmd:
        from determined.deploy.cli import args_description as deploy_args_description

        add_args(parser, [deploy_args_description])
    else:
        add_args(parser, all_args_description)

    try:
        argcomplete.autocomplete(parser)

        parsed_args = parser.parse_args(args)

        def die(message: str, always_print_traceback: bool = False) -> None:
            """Print *message* in red and exit with status 1.

            The current traceback is printed first when *always_print_traceback* is set
            or the CLI runs in debug mode.
            """
            if always_print_traceback or debug_mode():
                import traceback

                traceback.print_exc(file=sys.stderr)

            parser.exit(1, colored(message + "\n", "red"))

        v = vars(parsed_args)
        if not v.get("func"):
            parser.print_usage()
            parser.exit(2, "{}: no subcommand specified\n".format(parser.prog))

        try:
            # For `det deploy`, skip interaction with master.
            if is_deploy_cmd:
                parsed_args.func(parsed_args)
                return

            # Configure the CLI's Cert singleton.
            certs.cli_cert = certs.default_load(parsed_args.master)

            try:
                check_version(parsed_args)
            except requests.exceptions.SSLError:
                # An SSLError usually means that we queried a master over HTTPS and got an untrusted
                # cert, so allow the user to store and trust the current cert. (It could also mean
                # that we tried to talk HTTPS on the HTTP port, but distinguishing that based on the
                # exception is annoying, and we'll figure that out in the next step anyway.)
                addr = api.parse_master_address(parsed_args.master)
                check_not_none(addr.hostname)
                check_not_none(addr.port)
                try:
                    # Raw TLS handshake used only to retrieve the chain the master presents;
                    # no verification mode is configured on this context, so it completes for
                    # any certificate. Nothing is sent over this connection.
                    ctx = SSL.Context(SSL.TLSv1_2_METHOD)
                    conn = SSL.Connection(ctx, socket.socket())
                    conn.set_tlsext_host_name(
                        cast(str, addr.hostname).encode())
                    conn.connect(
                        cast(Sequence[Union[str, int]],
                             (addr.hostname, addr.port)))
                    conn.do_handshake()
                    # The whole peer chain, leaf first, concatenated into one PEM string.
                    cert_pem_data = "".join(
                        crypto.dump_certificate(crypto.FILETYPE_PEM,
                                                cert).decode()
                        for cert in conn.get_peer_cert_chain())
                except crypto.Error:
                    # die() exits, so cert_pem_data is never read unbound below.
                    die("Tried to connect over HTTPS but couldn't get a certificate from the "
                        "master; consider using HTTP")

                # NOTE(review): ssl.PEM_cert_to_DER_cert expects a single certificate, but
                # cert_pem_data holds the entire chain — confirm that the fingerprint shown to
                # the user is the one they are expected to compare against (e.g. the leaf's).
                cert_hash = hashlib.sha256(
                    ssl.PEM_cert_to_DER_cert(cert_pem_data)).hexdigest()
                cert_fingerprint = ":".join(chunks(cert_hash, 2))

                # Trust-on-first-use: the user must explicitly accept the fingerprint.
                if not render.yes_or_no(
                        "The master sent an untrusted certificate chain with this SHA256 fingerprint:\n"
                        "{}\nDo you want to trust this certificate from now on?"
                        .format(cert_fingerprint)):
                    die("Unable to verify master certificate")

                # Persist the accepted chain for this master so later runs verify against it.
                certs.CertStore(certs.default_store()).set_cert(
                    parsed_args.master, cert_pem_data)
                # Reconfigure the CLI's Cert singleton, but preserve the certificate name.
                old_cert_name = certs.cli_cert.name
                certs.cli_cert = certs.Cert(cert_pem=cert_pem_data,
                                            name=old_cert_name)

                # Retry the version check now that the chain is trusted.
                check_version(parsed_args)

            parsed_args.func(parsed_args)
        except KeyboardInterrupt as e:
            # Re-raise so Ctrl-C reaches the outer handler instead of `except Exception`.
            raise e
        except (api.errors.BadRequestException,
                api.errors.BadResponseException) as e:
            die("Failed to {}: {}".format(parsed_args.func.__name__, e))
        except api.errors.CorruptTokenCacheException:
            die("Failed to login: Attempted to read a corrupted token cache. "
                "The store has been deleted; please try again.")
        except EnterpriseOnlyError as e:
            die(f"Determined Enterprise Edition is required for this functionality: {e}"
                )
        except Exception:
            # Unexpected failure: always show the traceback so the cause is not hidden.
            die("Failed to {}".format(parsed_args.func.__name__),
                always_print_traceback=True)
    except KeyboardInterrupt:
        # die() may not be defined yet.
        if debug_mode():
            import traceback

            traceback.print_exc(file=sys.stderr)

        print(colored("Interrupting...\n", "red"), file=sys.stderr)
        exit(3)